Researchers at Censys discovered a previously undocumented Russian-origin toolkit called CTRL, distributed through Windows shortcut files disguised as private key folders. Once a victim double-clicks the LNK file, a multi-stage chain deploys credential harvesting through a fake Windows Hello PIN prompt, a keylogger, RDP session hijacking, and reverse proxy tunneling. All stolen data exits through the RDP tunnel, leaving minimal forensic traces compared to traditional command-and-control patterns.
The leaked DarkSword iOS exploit kit is already being weaponized. Proofpoint attributes a new spear-phishing campaign to TA446 (also known as COLDRIVER/Star Blizzard), a Russian FSB-linked group that has never previously targeted Apple devices. The emails spoof Atlantic Council discussion invitations and redirect iPhone users to the exploit kit, which deploys the GHOSTBLADE dataminer. Proofpoint warns the targeting is unusually broad - hitting government, finance, legal, and education sectors.